auth: support OIDC authentication provider and token authentication (#…

…496)

### Motivation

We should support some general authentication methods for the Oxia
server for security concerns.

### Modification

- Support basic OIDC authentication provider on the server
- Support basic token authentication on the client
- Support integration test for OIDC with the token.

### Next

- Performance will be affected Since we use GRPC per call
authentication. We might do a cache for the token to improve the
performance.
- For next improvement. We can customise a transport layer
authentication. But we already have mTLS. We can evaluate it in the
future.

.golangci.yaml

@@ -92,7 +92,7 @@ linters-settings:
         severity: warning
         disabled: false
         arguments:
-          - 12
+          - 15
       - name: cyclomatic
         severity: warning
         disabled: false

cmd/health/cmd.go

@@ -63,7 +63,7 @@ func init() {
 }
 
 func exec(*cobra.Command, []string) error {
-	clientPool := common.NewClientPool(nil)
+	clientPool := common.NewClientPool(nil, nil)
 
 	serverAddress := fmt.Sprintf("%s:%d", config.Host, config.Port)
 

cmd/health/cmd_test.go

@@ -16,6 +16,7 @@ package health
 
 import (
 	"fmt"
+	"github.com/streamnative/oxia/server/auth"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -32,7 +33,7 @@ func TestHealthCmd(t *testing.T) {
 	_health := health.NewServer()
 	server, err := container.Default.StartGrpcServer("health", "localhost:0", func(registrar grpc.ServiceRegistrar) {
 		grpc_health_v1.RegisterHealthServer(registrar, _health)
-	}, nil)
+	}, nil, &auth.Options{})
 	assert.NoError(t, err)
 	defer func() {
 		_ = server.Close()

cmd/server/cmd.go

@@ -43,6 +43,8 @@ var (
 )
 
 func init() {
+	Cmd.Flags().SortFlags = false
+
 	flag.PublicAddr(Cmd, &conf.PublicServiceAddr)
 	flag.InternalAddr(Cmd, &conf.InternalServiceAddr)
 	flag.MetricsAddr(Cmd, &conf.MetricsServiceAddr)
@@ -52,6 +54,8 @@ func init() {
 	Cmd.Flags().BoolVar(&conf.WalSyncData, "wal-sync-data", true, "Whether to sync data in write-ahead-log")
 	Cmd.Flags().Int64Var(&conf.DbBlockCacheMB, "db-cache-size-mb", kv.DefaultFactoryOptions.CacheSizeMB,
 		"Max size of the shared DB cache")
+	Cmd.Flags().StringVar(&conf.AuthOptions.ProviderName, "auth-provider-name", "", "Authentication provider name. supported: oidc")
+	Cmd.Flags().StringVar(&conf.AuthOptions.ProviderParams, "auth-provider-params", "", "Authentication provider params. \n oidc: "+"{\"allowedIssueURLs\":\"required1,required2\",\"allowedAudiences\":\"required1,required2\",\"userNameClaim\":\"optional(default:sub)\"}")
 
 	// server TLS section
 	Cmd.Flags().StringVar(&serverTLS.CertFile, "tls-cert-file", "", "Tls certificate file")

common/client_pool.go

@@ -22,6 +22,8 @@ import (
 	"sync"
 	"time"
 
+	"github.com/streamnative/oxia/oxia/auth"
+
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 
@@ -48,14 +50,16 @@ type clientPool struct {
 	sync.RWMutex
 	connections map[string]grpc.ClientConnInterface
 
-	tls *tls.Config
-	log *slog.Logger
+	tls            *tls.Config
+	authentication auth.Authentication
+	log            *slog.Logger
 }
 
-func NewClientPool(tlsConf *tls.Config) ClientPool {
+func NewClientPool(tlsConf *tls.Config, authentication auth.Authentication) ClientPool {
 	return &clientPool{
-		connections: make(map[string]grpc.ClientConnInterface),
-		tls:         tlsConf,
+		connections:    make(map[string]grpc.ClientConnInterface),
+		tls:            tlsConf,
+		authentication: authentication,
 		log: slog.With(
 			slog.String("component", "client-pool"),
 		),
@@ -142,11 +146,15 @@ func (cp *clientPool) getConnection(target string) (grpc.ClientConnInterface, er
 		tcs = credentials.NewTLS(cp.tls)
 	}
 
-	cnx, err := grpc.NewClient(target,
+	options := []grpc.DialOption{
 		grpc.WithTransportCredentials(tcs),
 		grpc.WithStreamInterceptor(grpcprometheus.StreamClientInterceptor),
 		grpc.WithUnaryInterceptor(grpcprometheus.UnaryClientInterceptor),
-	)
+	}
+	if cp.authentication != nil {
+		options = append(options, grpc.WithPerRPCCredentials(cp.authentication))
+	}
+	cnx, err := grpc.NewClient(target, options...)
 	if err != nil {
 		return nil, errors.Wrapf(err, "error connecting to %s", target)
 	}

common/container/container.go

@@ -22,6 +22,8 @@ import (
 	"net"
 	"os"
 
+	"github.com/streamnative/oxia/server/auth"
+
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 
@@ -44,16 +46,16 @@ type GrpcServer interface {
 }
 
 type GrpcProvider interface {
-	StartGrpcServer(name, bindAddress string, registerFunc func(grpc.ServiceRegistrar), tlsConf *tls.Config) (GrpcServer, error)
+	StartGrpcServer(name, bindAddress string, registerFunc func(grpc.ServiceRegistrar), tlsConf *tls.Config, options *auth.Options) (GrpcServer, error)
 }
 
 var Default = &defaultProvider{}
 
 type defaultProvider struct {
 }
 
-func (*defaultProvider) StartGrpcServer(name, bindAddress string, registerFunc func(grpc.ServiceRegistrar), tlsConf *tls.Config) (GrpcServer, error) {
-	return newDefaultGrpcProvider(name, bindAddress, registerFunc, tlsConf)
+func (*defaultProvider) StartGrpcServer(name, bindAddress string, registerFunc func(grpc.ServiceRegistrar), tlsConf *tls.Config, options *auth.Options) (GrpcServer, error) {
+	return newDefaultGrpcProvider(name, bindAddress, registerFunc, tlsConf, options)
 }
 
 type defaultGrpcServer struct {
@@ -64,16 +66,41 @@ type defaultGrpcServer struct {
 }
 
 func newDefaultGrpcProvider(name, bindAddress string, registerFunc func(grpc.ServiceRegistrar),
-	tlsConf *tls.Config) (GrpcServer, error) {
+	tlsConf *tls.Config, authOptions *auth.Options) (GrpcServer, error) {
 	tcs := insecure.NewCredentials()
 	if tlsConf != nil {
 		tcs = credentials.NewTLS(tlsConf)
 	}
+	streamInterceptors := []grpc.StreamServerInterceptor{
+		grpcprometheus.StreamServerInterceptor,
+	}
+	unaryInterceptors := []grpc.UnaryServerInterceptor{
+		grpcprometheus.UnaryServerInterceptor,
+	}
+	if authOptions.IsEnabled() {
+		provider, err := auth.NewAuthenticationProvider(context.Background(), *authOptions)
+		if err != nil {
+			slog.Error("Failed to init authentication provider",
+				slog.Any("authOptions", *authOptions),
+				slog.Any("error", err))
+			return nil, err
+		}
+		delegator, err := auth.NewGrpcAuthenticationDelegator(provider)
+		if err != nil {
+			slog.Error("Failed to init grpc authentication delegator",
+				slog.Any("authOptions", *authOptions),
+				slog.Any("error", err))
+			return nil, err
+		}
+		unaryInterceptors = append(unaryInterceptors, delegator.GetUnaryInterceptor())
+		streamInterceptors = append(streamInterceptors, delegator.GetStreamInterceptor())
+	}
+
 	c := &defaultGrpcServer{
 		server: grpc.NewServer(
 			grpc.Creds(tcs),
-			grpc.ChainStreamInterceptor(grpcprometheus.StreamServerInterceptor),
-			grpc.ChainUnaryInterceptor(grpcprometheus.UnaryServerInterceptor),
+			grpc.ChainStreamInterceptor(streamInterceptors...),
+			grpc.ChainUnaryInterceptor(unaryInterceptors...),
 			grpc.MaxRecvMsgSize(maxGrpcFrameSize),
 		),
 	}

coordinator/coordinator.go

@@ -90,7 +90,7 @@ func New(config Config) (*Coordinator, error) {
 	)
 
 	s := &Coordinator{
-		clientPool: common.NewClientPool(config.PeerTLS),
+		clientPool: common.NewClientPool(config.PeerTLS, nil),
 	}
 
 	var metadataProvider impl.MetadataProvider

coordinator/coordinator_rpc_server.go

@@ -17,6 +17,8 @@ package coordinator
 import (
 	"crypto/tls"
 
+	"github.com/streamnative/oxia/server/auth"
+
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/health"
 	"google.golang.org/grpc/health/grpc_health_v1"
@@ -37,7 +39,7 @@ func newRpcServer(bindAddress string, tlsConf *tls.Config) (*rpcServer, error) {
 	var err error
 	server.grpcServer, err = container.Default.StartGrpcServer("coordinator", bindAddress, func(registrar grpc.ServiceRegistrar) {
 		grpc_health_v1.RegisterHealthServer(registrar, server.healthServer)
-	}, tlsConf)
+	}, tlsConf, &auth.Disabled)
 	if err != nil {
 		return nil, err
 	}

coordinator/impl/cluster_rebalance.go

@@ -131,7 +131,7 @@ outer:
 	return res
 }
 
-func getShardsPerServer(servers []model.ServerAddress, currentStatus *model.ClusterStatus) ( //nolint:revive
+func getShardsPerServer(servers []model.ServerAddress, currentStatus *model.ClusterStatus) (
 	existingServers map[model.ServerAddress]common.Set[int64],
 	deletedServers map[model.ServerAddress]common.Set[int64]) {
 	existingServers = map[model.ServerAddress]common.Set[int64]{}

coordinator/impl/coordinator_e2e_test.go

@@ -68,7 +68,7 @@ func TestCoordinatorE2E(t *testing.T) {
 		}},
 		Servers: []model.ServerAddress{sa1, sa2, sa3},
 	}
-	clientPool := common.NewClientPool(nil)
+	clientPool := common.NewClientPool(nil, nil)
 
 	coordinator, err := NewCoordinator(metadataProvider, func() (model.ClusterConfig, error) { return clusterConfig, nil }, nil, NewRpcProvider(clientPool))
 
@@ -106,7 +106,7 @@ func TestCoordinatorE2E_ShardsRanges(t *testing.T) {
 		}},
 		Servers: []model.ServerAddress{sa1, sa2, sa3},
 	}
-	clientPool := common.NewClientPool(nil)
+	clientPool := common.NewClientPool(nil, nil)
 
 	coordinator, err := NewCoordinator(metadataProvider, func() (model.ClusterConfig, error) { return clusterConfig, nil }, nil, NewRpcProvider(clientPool))
 	assert.NoError(t, err)
@@ -159,7 +159,7 @@ func TestCoordinator_LeaderFailover(t *testing.T) {
 		}},
 		Servers: []model.ServerAddress{sa1, sa2, sa3},
 	}
-	clientPool := common.NewClientPool(nil)
+	clientPool := common.NewClientPool(nil, nil)
 
 	coordinator, err := NewCoordinator(metadataProvider, func() (model.ClusterConfig, error) { return clusterConfig, nil }, nil, NewRpcProvider(clientPool))
 	assert.NoError(t, err)
@@ -263,7 +263,7 @@ func TestCoordinator_MultipleNamespaces(t *testing.T) {
 		}},
 		Servers: []model.ServerAddress{sa1, sa2, sa3},
 	}
-	clientPool := common.NewClientPool(nil)
+	clientPool := common.NewClientPool(nil, nil)
 
 	coordinator, err := NewCoordinator(metadataProvider, func() (model.ClusterConfig, error) { return clusterConfig, nil }, nil, NewRpcProvider(clientPool))
 	assert.NoError(t, err)
@@ -354,7 +354,7 @@ func TestCoordinator_DeleteNamespace(t *testing.T) {
 		}},
 		Servers: []model.ServerAddress{sa1, sa2, sa3},
 	}
-	clientPool := common.NewClientPool(nil)
+	clientPool := common.NewClientPool(nil, nil)
 
 	coordinator, err := NewCoordinator(metadataProvider, func() (model.ClusterConfig, error) { return clusterConfig, nil }, nil, NewRpcProvider(clientPool))
 	assert.NoError(t, err)
@@ -436,7 +436,7 @@ func TestCoordinator_DynamicallAddNamespace(t *testing.T) {
 		}},
 		Servers: []model.ServerAddress{sa1, sa2, sa3},
 	}
-	clientPool := common.NewClientPool(nil)
+	clientPool := common.NewClientPool(nil, nil)
 
 	configChangesCh := make(chan any)
 	configProvider := func() (model.ClusterConfig, error) {
@@ -524,7 +524,7 @@ func TestCoordinator_RebalanceCluster(t *testing.T) {
 		}},
 		Servers: []model.ServerAddress{sa1, sa2, sa3},
 	}
-	clientPool := common.NewClientPool(nil)
+	clientPool := common.NewClientPool(nil, nil)
 	mutex := &sync.Mutex{}
 
 	configProvider := func() (model.ClusterConfig, error) {
@@ -622,7 +622,7 @@ func TestCoordinator_AddRemoveNodes(t *testing.T) {
 		}},
 		Servers: []model.ServerAddress{sa1, sa2, sa3},
 	}
-	clientPool := common.NewClientPool(nil)
+	clientPool := common.NewClientPool(nil, nil)
 
 	configProvider := func() (model.ClusterConfig, error) {
 		return clusterConfig, nil
@@ -684,7 +684,7 @@ func TestCoordinator_ShrinkCluster(t *testing.T) {
 		}},
 		Servers: []model.ServerAddress{sa1, sa2, sa3, sa4},
 	}
-	clientPool := common.NewClientPool(nil)
+	clientPool := common.NewClientPool(nil, nil)
 
 	configProvider := func() (model.ClusterConfig, error) {
 		return clusterConfig, nil

go.mod

@@ -66,16 +66,20 @@ require (
 	github.com/cockroachdb/logtags v0.0.0-20230118201751-21c54148d20b // indirect
 	github.com/cockroachdb/redact v1.1.5 // indirect
 	github.com/cockroachdb/tokenbucket v0.0.0-20230807174530-cc333fc44b06 // indirect
+	github.com/coreos/go-oidc/v3 v3.10.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
 	github.com/getsentry/sentry-go v0.21.0 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.1 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.0 // indirect
 	github.com/golang/glog v1.2.1 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
@@ -98,6 +102,7 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/oauth2-proxy/mockoidc v0.0.0-20240214162133-caebfff84d25 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
@@ -116,6 +121,7 @@ require (
 	github.com/subosito/gotenv v1.6.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.27.0 // indirect
 	go.opentelemetry.io/otel/trace v1.27.0 // indirect
+	golang.org/x/crypto v0.23.0 // indirect
 	golang.org/x/oauth2 v0.19.0 // indirect
 	golang.org/x/term v0.20.0 // indirect
 	golang.org/x/text v0.16.0 // indirect

go.sum

@@ -21,6 +21,8 @@ github.com/cockroachdb/redact v1.1.5 h1:u1PMllDkdFfPWaNGMyLD1+so+aq3uUItthCFqzwP
 github.com/cockroachdb/redact v1.1.5/go.mod h1:BVNblN9mBWFyMyqK1k3AAiSxhvhfK2oOZZ2lK+dpvRg=
 github.com/cockroachdb/tokenbucket v0.0.0-20230807174530-cc333fc44b06 h1:zuQyyAKVxetITBuuhv3BI9cMrmStnpT18zmgmTxunpo=
 github.com/cockroachdb/tokenbucket v0.0.0-20230807174530-cc333fc44b06/go.mod h1:7nc4anLGjupUW/PeY5qiNYsdNXj7zopG+eqsS7To5IQ=
+github.com/coreos/go-oidc/v3 v3.10.0 h1:tDnXHnLyiTVyT/2zLDGj09pFPkhND8Gl8lnTRhoEaJU=
+github.com/coreos/go-oidc/v3 v3.10.0/go.mod h1:5j11xcw0D3+SGxn6Z/WFADsgcWVMyNAlSQupk0KK3ac=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
@@ -51,6 +53,10 @@ github.com/getsentry/sentry-go v0.21.0 h1:c9l5F1nPF30JIppulk4veau90PK6Smu3abgVtV
 github.com/getsentry/sentry-go v0.21.0/go.mod h1:lc76E2QywIyW8WuBnwl8Lc4bkmQH4+w1gwTf25trprY=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
 github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
+github.com/go-jose/go-jose/v3 v3.0.1 h1:pWmKFVtt+Jl0vBZTIpz/eAKwsm6LkIxDVVbFHKkchhA=
+github.com/go-jose/go-jose/v3 v3.0.1/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
+github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U=
+github.com/go-jose/go-jose/v4 v4.0.1/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@@ -67,6 +73,8 @@ github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt/v5 v5.2.0 h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw=
+github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/glog v1.2.1 h1:OptwRhECazUx5ix5TTWC3EZhsZEHWcYWY4FQHTIubm4=
 github.com/golang/glog v1.2.1/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
@@ -76,6 +84,7 @@ github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
 github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
 github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
+github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -132,6 +141,8 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/oauth2-proxy/mockoidc v0.0.0-20240214162133-caebfff84d25 h1:9bCMuD3TcnjeqjPT2gSlha4asp8NvgcFRYExCaikCxk=
+github.com/oauth2-proxy/mockoidc v0.0.0-20240214162133-caebfff84d25/go.mod h1:eDjgYHYDJbPLBLsyZ6qRaugP0mX8vePOhZ5id1fdzJw=
 github.com/onsi/ginkgo/v2 v2.15.0 h1:79HwNRBAZHOEwrczrgSOPy+eFTTlIGELKy5as+ClttY=
 github.com/onsi/ginkgo/v2 v2.15.0/go.mod h1:HlxMHtYF57y6Dpf+mc5529KKmSq9h2FpCF+/ZkwUxKM=
 github.com/onsi/gomega v1.31.0 h1:54UJxxj6cPInHS3a35wm6BK/F9nHYueZ1NVujHDrnXE=
@@ -194,6 +205,7 @@ github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
@@ -225,8 +237,11 @@ go.uber.org/automaxprocs v1.5.3/go.mod h1:eRbA25aqJrxAbsLO0xy5jVwPt7FQnRgjW+efnw
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/exp v0.0.0-20240531132922-fd00a4e0eefc h1:O9NuF4s+E/PvMIy+9IUZB9znFwUIXEWSstNjek6VpVg=
 golang.org/x/exp v0.0.0-20240531132922-fd00a4e0eefc/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=